Locked out?

Many of you know this, but we want to send a reminder: if you forget your password, we won’t give you a new one because you ask.

Part of working on more secure communications means we don’t track who you are, which means we have no way to verify you are actually you if you ask for your password. If you have forgotten your password, the only way to regain access to your account is with the ‘I forgot my password’ form, which will only give you account access if you have an alternate email address on file for your account, and you still have access to that alternate email address.

We don’t like to store alternate email addresses (or any data) for you, so we don’t recommend that you have one, but if you are concerned that you might forget your password, then you should set one. In any case, you should be aware whether you have an alternate email address saved, and if so, what it is. Directions to change or delete your saved alternate email address are here:

Don’t click through scary security warnings!

As you may have heard[1], some people have been targeting Riseup users with a “man in the middle attacks” that seek to steal account information. In particular, they have targeted people accessing Riseup over Tor (Tor is a way to use the internet with greater anonymity). In order for their attacks to work, individual users must click through a scary security warning that says something like (in the case of Firefox):

This Connection is Untrusted

You have asked Firefox to connect securely to,
but we can't confirm that your connection is secure

If you see one of these warnings when you are navigating to a Riseup site you should NOT continue to the site or enter any account information.

A special note for people using Tor: you should use Riseup’s .onion addresses and verify that these addresses are correct.[2] Once you have done so, however, you do not need to use https:// to access the hidden service because hidden services are end-to-end encrypted.

[1] [2]

Tidying up lists

It’s starting to be spring in this neck of the woods, which means I’ve been throwing crap out and tidying things up. Perhaps you could do the same?

If you are a list administrator, why not give a look at the members of your list and clean up any people who aren’t part of your project any more. This is a good idea for two reasons:

(1) It’s a nice security practice in general: only communicate with the people who need to know.

(2) Every now and then we get reported as Spam to one of the big email providers because people are tired of getting messages from your list and are unclear on what Spam is. So they report us, we get blocked, and lists can be screwed up for hours or days for everyone. Ugh.